Concerns about our online security have barely been out of the news ever since the Cambridge Analytica Facebook data breach scandal hit the headlines a few weeks ago.
After learning that our data, given over in good faith to Facebook, had been given away and then sold to allegedly nefarious operators, there were widespread calls to #deletefacebook before the company eventually rolled out a series of changes with the purpose of making their privacy tools easier to find.
The story has made people suddenly start to question exactly what information they’ve freely given to giant tech corporations, what’s being done with it and whether we should be quite so free and easy with giving it to them.
Which is all very sensible.
But we also shouldn’t forget that the old, classic methods of getting us to part with sensitive information are still very much in operation out there.
Twitter user @_thp shared a recent phishing scam that they were subjected to, and it’s so fiendishly clever that it’s gone viral.
This is the most CLEVER phishing scam I’ve ever encountered and for a second it almost got me. Here’s how it works: they ask you to send them the password reset code they have requested gmail send to you, claiming it will stop someone’s access but in fact it just lets them in. pic.twitter.com/OUCbw4BmqU
— Tiller, but with a seat next to me (@_thp) March 31, 2018
The scam sees the victim being sent a text asking whether they’ve requested a password reset for their Gmail account - and, if not, to reply with the word ‘STOP’.
Naturally, the less savvy will respond with ‘STOP’, whereupon they are urged to send the 6-digit numerical code in order to prevent the password being changed.
Of course, what’s really happened here is that the scammer has requested a password change on your account, which in turn sends a code to the actual owner to verify that they really want the password changed. By sending the scammer the code, you’re enabling them to complete the password change, which will then enable them to access your emails.
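The exchange described above leaves a recognisable trace in a message thread: a genuine text that contains a code, and a second text from a different number that asks for one. The sketch below is an added example, not part of the original article or any Google tooling; it flags both the request and the moment a code is relayed to a third party. The message format, the 15-minute window, the sender labels and the sample thread are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

CODE = re.compile(r"(?<!\d)\d{6}(?!\d)")  # a standalone 6-digit code
# Inbound text asking the recipient to send or reply with a code.
SOLICIT = re.compile(r"\b(reply|respond|send|text)\b.{0,60}\bcode\b", re.I | re.S)

def flag_code_relay(thread, window=timedelta(minutes=15)):
    """Scan one phone's SMS thread; return (kind, peer, time) findings."""
    findings, issued = [], []  # issued: (time, sender, code) seen inbound
    for msg in sorted(thread, key=lambda m: m["time"]):
        codes = CODE.findall(msg["body"])
        if msg["dir"] == "in":
            # A genuine code message carries the code; the lure asks for it.
            if not codes and SOLICIT.search(msg["body"]):
                findings.append(("solicits_code", msg["peer"], msg["time"]))
            issued += [(msg["time"], msg["peer"], c) for c in codes]
        elif any(c in codes and sender != msg["peer"] and msg["time"] - t <= window
                 for t, sender, c in issued):
            # A code issued by one sender is being relayed to a different number.
            findings.append(("code_sent_to_third_party", msg["peer"], msg["time"]))
    return findings

# Constructed sample thread: the numbers, code and wording are made up.
T0 = datetime(2018, 3, 31, 12, 0)
UNKNOWN = "+12025550100"
SAMPLE_THREAD = [
    {"time": T0, "dir": "in", "peer": "Google",
     "body": "Your verification code is 482913"},
    {"time": T0 + timedelta(minutes=1), "dir": "in", "peer": UNKNOWN,
     "body": "Did you request a password reset for your Gmail account? If not, reply STOP."},
    {"time": T0 + timedelta(minutes=2), "dir": "out", "peer": UNKNOWN, "body": "STOP"},
    {"time": T0 + timedelta(minutes=3), "dir": "in", "peer": UNKNOWN,
     "body": "Send the 6 digit code to stop the password being changed."},
    {"time": T0 + timedelta(minutes=4), "dir": "out", "peer": UNKNOWN, "body": "482913"},
]

if __name__ == "__main__":
    for finding in flag_code_relay(SAMPLE_THREAD):
        print(finding)
```

The first lure message is not flagged on its own because it never mentions a code; the findings start at the follow-up that asks for one.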
So what should you do if you get one?
Simple: companies will never ask whether you don’t want to do something with your account, or ask you to do something to stop something else happening. And trust your own memory - you didn’t ask for a reset, so you shouldn’t be asked about one. Do not reply to the text (doing so will tell the scammers that they have reached a valid number).
Oh, and ensure you have 2-step verification set up on your Google account.
Stay safe out there, people.